In Defense of WordPress

Getting started with WordPress is quick and easy, which has made it extremely popular. But as WordPress's popularity has grown, so too has the giant target on its back.

But with some basic settings, policies and plugins, you can protect yourself from 99% of the attacks you might face.

Before we get into the gory details, it's worth noting that there's simply no way to make WordPress (or really anything) 100% impregnable. Even with the most sophisticated technology, teams of smart people and a lot of resources dedicated to security, large corporate and government websites get hacked.

In brute-force login attempts against WordPress sites, the top five user names tried are admin, test, administrator, Admin, and root. The top five passwords tried are admin, 123456, 666666, 111111, and 12345678.

Don't use these. Instead, use a strong password generator tool for both user names and passwords. If you have trouble remembering difficult user names and passwords, I suggest a password manager like LastPass.

Among some other tips and plugins, Daniel Smeek recommends hiding login error messages (which otherwise tell an attacker whether a guessed user name exists: "Invalid username" versus "incorrect password") by adding the following code to functions.php:

// create_function() no longer exists in PHP 8; WordPress ships __return_empty_string() for exactly this use.
add_filter( 'login_errors', '__return_empty_string' );

Also, don't email user names and passwords. If you have to give someone else access, create a unique user for them, and remove it when they no longer need it. If you simply won't do that, change your user name and password each time you give someone else access. Finally, don't store user names and passwords in plain files on your computer. A compromised laptop is the soft underbelly that gives up every site whose credentials sit on it.

Avoiding common user names and passwords is a very simple way to protect against brute force attacks.
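As an added example (not from the original post or from Daniel Smeek's tips), the two lists above can be turned into policy with a small must-use plugin: WordPress then refuses to create an account under any of the attempted user names and refuses any of the attempted passwords for any user. The file name, the function name and the 12-character minimum are this example's own choices; the two lists should be extended well beyond these entries.

```php
<?php
/**
 * Plugin Name: Reject brute-force favourites (added example)
 * Description: Blocks the user names and passwords most often tried by
 *              automated login attacks. Save as
 *              wp-content/mu-plugins/reject-bff.php so it loads on every
 *              request and cannot be deactivated from the admin UI.
 */

// The user names and passwords cited in the post. "Admin" is covered by
// "admin" because WordPress compares illegal logins case-insensitively.
const BFF_BAD_LOGINS    = array( 'admin', 'test', 'administrator', 'root' );
const BFF_BAD_PASSWORDS = array( 'admin', '123456', '666666', '111111', '12345678' );

/**
 * True if the password should be refused: it is on the block list, it equals
 * the user name, or it is shorter than 12 characters (policy chosen here).
 */
function bff_password_is_rejected( string $password, string $login = '' ): bool {
    $lower = strtolower( $password );
    if ( in_array( $lower, BFF_BAD_PASSWORDS, true ) ) {
        return true;
    }
    if ( '' !== $login && $lower === strtolower( $login ) ) {
        return true;
    }
    return strlen( $password ) < 12;
}

// 1. Refuse to *create* accounts with these names: covers open registration,
//    wp-admin "Add New User" and any plugin calling wp_insert_user().
//    Existing accounts are not renamed; do that by hand.
add_filter( 'illegal_user_logins', function ( array $logins ) {
    return array_merge( $logins, BFF_BAD_LOGINS );
} );

// 2. Refuse weak passwords when a user is created or a profile is saved in
//    wp-admin. $_POST['pass1'] is the new-password field on those forms; it is
//    empty when the password is not being changed.
add_action( 'user_profile_update_errors', function ( WP_Error $errors, $update, $user ) {
    $pass = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $pass ) {
        return;
    }
    $login = isset( $user->user_login ) ? (string) $user->user_login : '';
    if ( bff_password_is_rejected( $pass, $login ) ) {
        $errors->add(
            'bff_weak_password',
            __( 'That password is on the list of most-attacked passwords (or is too short). Choose another.' )
        );
    }
}, 10, 3 );
```

The check runs only where WordPress itself sets passwords through wp-admin; passwords changed by other plugins or by `wp user update` on the command line bypass it, so treat this as a guard rail rather than the whole policy.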

Avoid Public WiFi

Put simply, don't connect to WiFi hotspots without a VPN of your own in place. Hint: the VPN has to be yours; your Starbucks doesn't provide one. If you're using WiFi at home or at the office, use WPA2 with a long, random passphrase. You can also stop broadcasting your SSID, but treat that as tidiness rather than security: the network name is still sent in the clear by every device that connects.

Updates

The internet battle between good and evil continues to rage on, which means you need to be constantly vigilant in applying updates to:

Core WordPress installation

Theme files

Plugins

Before you apply updates, make sure you have working backups of your site files and database.

I can't tell you how many WordPress installations I see that are running really, really, really old versions of WordPress. Failing to update is one of the surest ways to guarantee that you get hacked: every security release note is also a public list of the holes the previous version still has.

Secure Hosting

Choose a host that knows security, and specifically WordPress security. WP Engine, which is more expensive than your standard economy hosting, is among the best.

If you want to save on hosting, you might at least consider password protecting your wp-login.php file with HTTP basic authentication at the web server, so automated tools never reach the WordPress login form at all.

.htaccess

If you're tech-savvy, you might be able to add some protection in your .htaccess file (you probably should have a developer do this for you). Here are some things you should consider adding, or talking to your developer about:

If you want to see the specific code for how to implement these, Sam McRoberts lays it out in his Definitive Guide to WordPress Security. You can find a couple additional useful .htaccess configurations here.

Plugins

When most WordPress users want to add some additional functionality to their installation, they immediately think: Plugins to the rescue!

Don't think like this. Use plugins very judiciously. Read up on plugins before installing. Get help from a developer.

Only after you're confident in the safety, security and support of a plugin, and only after you've created a recent backup, should you turn to plugins to help with security. Here are a few to consider:

Over in The LAB, a few years back, Greg recommended checking out Perishable Press as a good WordPress security resource. And Sam recommended the Exploit Scanner plugin. Perhaps they’ll update us on what they’re reading / using for security now.

The WordPress plugin directory has many more security plugins. Again, I encourage you to limit your reliance on plugins in general: every plugin you activate is code running with the full privileges of your site. Be sure that you are confident in the safety and support of those that you choose to install and activate.

As anyone who has been hacked will tell you, getting hacked and recovering from a hack is not fun. Taking the time to take some preventative measures and instituting some commonsense security policies at your firm will help you avoid 99% of the most common security issues you’re likely to encounter.

Have a WordPress security question or tip you’d like to share? Feel free to post below.

Gyi Tsakalakis helps lawyers earn meaningful attention online because that's where clients are looking. He tends to write about legal marketing technology. He misses coaching football and is happy to discuss various strategies and techniques of defensive front seven play.

Great tips. I was tweaking my .htaccess file this weekend, where I block access to the login page from all but my main IP address. I commented it out and was surprised that there were immediately login requests in the logs. It’s easy to forget that the automated attacks are unceasing. Like Sam, I use the Limited Login plugin on a site that has multiple editors, and a captcha plugin like Blue Captcha can double up the challenges on the login page. Thanks for the list of suggested plugins.

There are several comments I’d like to make and only a little time to make them with.

First, WordPress is an excellent platform if you know what you are doing with it. If you are a large law firm concerned foremost about security, you should consider the WordPress VIP program, which caters to your type of enterprise. If, on the other hand, you are self hosted, there is a lot you can do both to test and to harden your site.

Brute force attacks typically happen on a rotating IP address using a botnet of other websites, so you can’t just block all IPs from Nigeria for 24 hours and be done with it. Login limiters are of dubious utility because of this as well. Unless you have a hands-on security setup in place, the tips that will best help you include:

[a] Block author scans/enumeration. If you visit http://gop.com/?author=1 you will immediately learn that this is a user named "myadmin", and the fact that this account is in the #1 slot means that, if you want to take down the GOP's website, you've got a very good point of entry. A simple bit of htaccess listed here will solve the problem.

[b] If you know someone who can use the software at wpscan.com (see the linked BackBox distro) then you can use many of the tools that hackers will employ against you to probe your site.

[c] Don’t just install every security plugin under the sun. In fact, don’t install a ton of plugins you don’t really need. Plugins aren’t bad but many aren’t written as well as you would hope.

[d] Better WPS, mentioned above, is the best of the plugins but it will also break your site if you aren’t careful. Bulletproof security is good too because you can configure it then disable the plugin. They cover very different approaches with only a little overlap. The difference being that it’s easy to replicate Bulletproof without a plugin.
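The author-enumeration point in [a] above can also be closed from WordPress itself rather than .htaccess. The following is an added example, not the commenter's code or the snippet the comment links to; the plugin header, file name and the decision to keep archives visible to logged-in users are this example's own assumptions. It makes both `/?author=N` and the pretty `/author/<login>/` URL return 404 to anonymous visitors, and also removes two other places WordPress publishes the same login names: the REST users endpoint and the users sitemap.

```php
<?php
/**
 * Plugin Name: Stop author enumeration (added example)
 * Description: Returns 404 for author archives to anonymous visitors and removes
 *              the public REST users listing and the users sitemap, which expose
 *              the same login names. Save as
 *              wp-content/mu-plugins/stop-author-enumeration.php
 */

// 1. Author archives. Both /?author=1 and /author/<login>/ arrive here as the
//    query vars 'author' or 'author_name'. Dropping them and setting the public
//    'error' query var to 404 makes WP_Query call set_404() before anything else
//    runs, including the canonical redirect that would otherwise turn ?author=1
//    into /author/<login>/ and leak the name in the Location header.
add_action( 'parse_request', function ( WP $wp ) {
    if ( is_user_logged_in() ) {
        return; // authors still see their own archive pages
    }
    if ( isset( $wp->query_vars['author'] ) || isset( $wp->query_vars['author_name'] ) ) {
        unset( $wp->query_vars['author'], $wp->query_vars['author_name'] );
        $wp->query_vars['error'] = '404';
    }
} );

// 2. REST API. /wp-json/wp/v2/users lists id, display name and "slug" (the
//    login name) of every user who has published a post. Remove the collection
//    and single-user routes for anonymous requests; route keys are the ones
//    WordPress core registers.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 3. Sitemaps (WordPress 5.5 and later). wp-sitemap-users-1.xml lists every
//    author archive URL. Returning false from this filter drops the provider.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, string $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );
```

Verify it with a browser or curl while logged out: `/?author=1`, `/author/<login>/`, `/wp-json/wp/v2/users` and `/wp-sitemap-users-1.xml` should all come back 404. Hiding names slows a scanner down; it does not replace strong passwords on every account.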